| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.usergrid.security.shiro; |
| |
| |
| import org.apache.shiro.SecurityUtils; |
| import org.apache.shiro.authc.*; |
| import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher; |
| import org.apache.shiro.authc.credential.CredentialsMatcher; |
| import org.apache.shiro.authz.AuthorizationInfo; |
| import org.apache.shiro.authz.permission.PermissionResolver; |
| import org.apache.shiro.cache.CacheManager; |
| import org.apache.shiro.realm.AuthorizingRealm; |
| import org.apache.shiro.session.Session; |
| import org.apache.shiro.subject.PrincipalCollection; |
| import org.apache.shiro.subject.Subject; |
| import org.apache.usergrid.management.AccountCreationProps; |
| import org.apache.usergrid.management.ManagementService; |
| import org.apache.usergrid.persistence.EntityManagerFactory; |
| import org.apache.usergrid.security.shiro.credentials.*; |
| import org.apache.usergrid.security.shiro.principals.*; |
| import org.apache.usergrid.security.tokens.TokenService; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| import org.springframework.beans.factory.annotation.Autowired; |
| import org.springframework.beans.factory.annotation.Qualifier; |
| import org.springframework.beans.factory.annotation.Value; |
| |
| import java.util.Properties; |
| |
| import static org.apache.usergrid.management.AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_ALLOWED; |
| |
| |
| public class Realm extends AuthorizingRealm { |
| private static final Logger logger = LoggerFactory.getLogger( Realm.class ); |
| |
| public final static String ROLE_SERVICE_ADMIN = "service-admin"; |
| public final static String ROLE_ADMIN_USER = "admin-user"; |
| public final static String ROLE_ORGANIZATION_ADMIN = "organization-admin"; |
| public final static String ROLE_APPLICATION_ADMIN = "application-admin"; |
| public final static String ROLE_APPLICATION_USER = "application-user"; |
| |
| private EntityManagerFactory emf; |
| private ManagementService management; |
| private TokenService tokens; |
| private Properties properties; |
| |
| |
| @Value( "${" + PROPERTIES_SYSADMIN_LOGIN_ALLOWED + "}" ) |
| private boolean superUserEnabled; |
| @Value( "${" + AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_NAME + ":admin}" ) |
| private String superUser; |
| |
| |
| public Realm() { |
| setCredentialsMatcher(new AllowAllCredentialsMatcher()); |
| setPermissionResolver(new CustomPermissionResolver()); |
| } |
| |
| |
| public Realm( CacheManager cacheManager ) { |
| super( cacheManager ); |
| setCredentialsMatcher( new AllowAllCredentialsMatcher() ); |
| setPermissionResolver(new CustomPermissionResolver()); |
| setCachingEnabled(true); |
| setAuthenticationCachingEnabled(true); |
| } |
| |
| |
| public Realm( CredentialsMatcher matcher ) { |
| super(new AllowAllCredentialsMatcher()); |
| setPermissionResolver(new CustomPermissionResolver()); |
| } |
| |
| |
| public Realm( CacheManager cacheManager, CredentialsMatcher matcher ) { |
| super(cacheManager, new AllowAllCredentialsMatcher()); |
| setPermissionResolver( new CustomPermissionResolver() ); |
| setCachingEnabled(true); |
| setAuthenticationCachingEnabled(true); |
| } |
| |
| |
| @Override |
| public void setCredentialsMatcher( CredentialsMatcher credentialsMatcher ) { |
| if ( !( credentialsMatcher instanceof AllowAllCredentialsMatcher ) ) { |
| |
| if (logger.isDebugEnabled()) { |
| logger.debug("Replacing {} with AllowAllCredentialsMatcher", credentialsMatcher); |
| } |
| |
| credentialsMatcher = new AllowAllCredentialsMatcher(); |
| } |
| super.setCredentialsMatcher(credentialsMatcher); |
| } |
| |
| |
| @Override |
| public void setPermissionResolver( PermissionResolver permissionResolver ) { |
| if ( !( permissionResolver instanceof CustomPermissionResolver ) ) { |
| if (logger.isDebugEnabled()) { |
| logger.debug("Replacing {} with CustomPermissionResolver", permissionResolver); |
| } |
| permissionResolver = new CustomPermissionResolver(); |
| } |
| super.setPermissionResolver(permissionResolver); |
| } |
| |
| |
| @Autowired |
| public void setEntityManagerFactory( EntityManagerFactory emf ) { |
| this.emf = emf; |
| } |
| |
| |
| @Autowired |
| public void setManagementService( ManagementService management ) { |
| this.management = management; |
| } |
| |
| @Autowired |
| @Qualifier("properties") |
| public void setProperties( Properties properties ) { |
| this.properties = properties; |
| } |
| |
| |
| |
| @Autowired |
| public void setTokenService( TokenService tokens ) { |
| this.tokens = tokens; |
| } |
| |
| |
| @Override |
| protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) { |
| UsergridAuthorizationInfo info = (UsergridAuthorizationInfo)super.getAuthorizationInfo(principals); |
| |
| Subject currentUser = SecurityUtils.getSubject(); |
| Session session = currentUser.getSession(); |
| session.setAttribute( "applications", info.getApplicationSet()); |
| session.setAttribute("organizations", info.getOrganizationSet()); |
| if ( info.getOrganization() != null ) { |
| session.setAttribute( "organization", info.getOrganization() ); |
| } |
| if ( info.getApplication() != null ) { |
| session.setAttribute( "application", info.getApplication() ); |
| } |
| |
| return info; |
| } |
| |
| |
| @Override |
| protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken token ) throws AuthenticationException { |
| PrincipalCredentialsToken pcToken = ( PrincipalCredentialsToken ) token; |
| |
| if ( pcToken.getCredentials() == null ) { |
| throw new CredentialsException( "Missing credentials" ); |
| } |
| |
| boolean authenticated = false; |
| |
| PrincipalIdentifier principal = pcToken.getPrincipal(); |
| PrincipalCredentials credentials = pcToken.getCredentials(); |
| |
| if ( credentials instanceof ClientCredentials ) { |
| authenticated = true; |
| } |
| else if ( ( principal instanceof AdminUserPrincipal ) && ( credentials instanceof AdminUserPassword ) ) { |
| authenticated = true; |
| } |
| else if ( ( principal instanceof AdminUserPrincipal ) && ( credentials instanceof AdminUserAccessToken ) ) { |
| authenticated = true; |
| } |
| else if ( ( principal instanceof ApplicationUserPrincipal ) |
| && ( credentials instanceof ApplicationUserAccessToken ) ) { |
| authenticated = true; |
| } |
| else if ( ( principal instanceof ApplicationPrincipal ) && ( credentials instanceof ApplicationAccessToken ) ) { |
| authenticated = true; |
| } |
| else if ( ( principal instanceof OrganizationPrincipal ) |
| && ( credentials instanceof OrganizationAccessToken ) ) { |
| authenticated = true; |
| } |
| |
| if ( principal != null ) { |
| if ( !principal.isActivated() ) { |
| throw new AuthenticationException( "Unactivated identity" ); |
| } |
| if ( principal.isDisabled() ) { |
| throw new AuthenticationException( "Disabled identity" ); |
| } |
| } |
| |
| if ( !authenticated ) { |
| throw new AuthenticationException( "Unable to authenticate" ); |
| } |
| |
| if (logger.isTraceEnabled()) { |
| logger.trace("Authenticated: {}", principal); |
| } |
| |
| return new SimpleAuthenticationInfo( pcToken.getPrincipal(), pcToken.getCredentials(), getName() ); |
| } |
| |
| |
| @Override |
| protected AuthorizationInfo doGetAuthorizationInfo( PrincipalCollection principals ) { |
| UsergridAuthorizationInfo info = new UsergridAuthorizationInfo(); |
| |
| for ( PrincipalIdentifier principal : principals.byType( PrincipalIdentifier.class ) ) { |
| principal.grant( info, emf, management, tokens ); |
| } |
| |
| return info; |
| } |
| |
| |
| @Override |
| public boolean isAuthorizationCachingEnabled() { |
| return getCacheManager() != null; |
| } |
| |
| public boolean isAuthenticationCachingEnabled() { |
| return getCacheManager() != null; |
| } |
| |
| @Override |
| public boolean isCachingEnabled() { |
| return getCacheManager() != null; |
| } |
| |
| @Override |
| public void setCacheManager(CacheManager cacheManager) { |
| super.setCacheManager(cacheManager); |
| } |
| |
| @Override |
| public CacheManager getCacheManager() { |
| return super.getCacheManager(); |
| } |
| |
| @Override |
| public boolean supports( AuthenticationToken token ) { |
| return token instanceof PrincipalCredentialsToken; |
| } |
| } |